Increase gaming performance with NGads V620-series virtual machines

Gaming customers across the world tend to look for the same critical components when choosing their playing environment: Performance, Affordability, and Timely Content. And for gaming in the cloud, there’s a fourth: Reliability.

With these clear guidelines in mind, we are excited to announce the public preview of our new NGads V620-series virtual machines (VMs). This VM series has GPU, CPU, and memory resources balanced to generate and stream high-quality graphics for a performant, interactive gaming experience hosted on Microsoft Azure. The new NGads instances give online gaming providers the power and stability that they need, at an affordable price.   

The NGads V620-series are GPU-enabled virtual machines powered by AMD Radeon PRO V620 GPU and AMD EPYC 7763 CPUs. The AMD Radeon PRO V620 GPUs have a maximum frame buffer of 32GB which can be divided up to 4 ways through hardware partitioning, or by providing multiple users with access to shared, session-based operating systems such as Windows Server 2022 or Windows 11 EMS. 1 The AMD EPYC CPUs have a base clock speed of 2.45 GHz and a boost speed of 3.5 GHz. VMs are assigned full cores instead of threads, enabling full access to AMD’s powerful Zen 3 cores.

NGads instances come in four sizes, allowing customers to right-size their gaming environments for the performance and cost that best fits their business needs.

The two smallest instances rely on industry-standard SR-IOV technology to partition the GPUs into one-fourth and one-half instances, enabling customers to run workloads with no interference or security concerns between users sharing the same physical graphics card.

The VMs also feature the AMD Software Cloud Edition, which targets the same optimizations available in the consumer gaming version of the Adrenaline driver but is further tested and optimized for the cloud environment.

Instance ConfigsvCPU (Physical Cores)GPU Memory (GiB)GPU Partition Size  Memory (GiB)Azure Network (Gbps)Standard_NG8ads_V620_v188¼ GPU1610Standard_NG16ads_V620_v11616½ GPU3220Standard_NG32ads_V620_v132321x GPU6440Standard_NG32adms_V620_v132321x GPU17640

The NGads V620-series VMs will support a new AMD Cloud Software driver that comes in two editions: A Gaming driver with regular updates to support the latest titles, as well as a Professional driver for accelerated Virtual Desktop environments, with Radeon PRO optimizations to support high-end workstation applications.

Microsoft Azure, do more with less

Deployment in Azure enables gaming and desktop providers to take advantage of the infrastructure investments put in place by Microsoft in data centers across the world. This gives our customers the ability to only pay for what they use. They can depend on an infrastructure framework that is constantly kept up to date with highly reliable uptime. Customers can innovate faster to differentiate their offerings and provide customers with a richer experience. As our customers’ business needs expand, they can benefit from the economies of scale available from Azure. In addition, customers can build a more complete and robust solution through integration with the broad range of cloud services for storage, networking, and application management available as part of the Azure offerings.

Flexible workloads, flexible costs

High-performance GPU-accelerated workloads have always ranged from workstation design apps to VDI and simulation rendering. Each of these has the potential to tax even powerful graphics boards. Gaming workloads bring the additional challenges of requiring very fast graphics remoting—the interactive transfer of graphics and user controls over the internet. Further, there is a wide variety of games, connection types, and resolutions available to the user.

The NGads V620-series helps resolve these challenges by providing support for a range of visualization applications so that gaming or desktop service providers can optimize for precisely the experiences expected by the end users. Service provider customers can choose the right-sized VM that will best serve their needs without over-allocating resources. As the needs of their offering change, the common software support across VMs allows service providers to shift to a VM size with either a higher or lower GPU partition, or to shift capacity to other regions of the world as their business footprint expands.

Performance powered by AMD GPU and CPU

The NGads V620-series combines AMD Radeon™ GPU and Epyc™ CPU technology to provide a powerful and well-balanced environment for hosting rich and highly-interactive cloud services. 

The AMD Radeon PRO V620 GPU is based on AMD’s RDNA™ 2 Architecture, AMD Software, and AMD Graphics Virtualization technology. 

Each AMD Radeon PRO V620 GPU is equipped with 32MB of GDDR6 dedicated memory, a 256-bit memory interface with up to 512GB/s bandwidth, and ECC support for data correction.  To enhance the user experience, they are designed with hardware raytracing using 72 Ray Accelerators, 4608 Stream Processors, and a peak Engine Clock of 2200 MHz.

The AMD software supports the DirectX® 12.0, OpenGL®4.6, OpenCL™ 2.2, and Vulkan® 1.1 APIs for broad compatibility with gaming and graphics applications.  This enables the NG series VMs to support a very broad range of workloads from cloud gaming, GPU-enhanced VDI, and GPU-intensive Workstation-as-a-Service solutions.

The NGads V620-series uses GPU Partitioning to virtualize the GPU and provide partitions from the full 32 GB memory size (1x GPU), 16GB (one-half GPU), or 8GB (one-fourth GPU).  The Azure GPU Partitioning is based on the PCIe standard SR-IOV extension, which provides a highly predictable and secure method to host multiple independent user environments on the same hardware GPU board.

The AMD EPYC 7763 CPU is built on the 7nm process technology, featuring AMD Zen 3 cores, Infinity Architecture, and the AMD Infinity Guard suite of security features. The AMD EPYC CPUs have a base clock speed of 2.45GHz and a boost clock speed of 3.5 GHz to allow the user to take advantage of a single powerful core when required by the application.

Learn more about NGads V620-series

Customers can sign up for the NGads V620-series preview today. NGads V620-series VMs are initially available in the East US2, Europe West, and West US3 Azure regions.

Footnotes

EPYC-018: Max boost for AMD EPYC processors is the maximum frequency achievable by any single core on the processor under normal operating conditions for server systems
The post Increase gaming performance with NGads V620-series virtual machines appeared first on Azure Blog.
Quelle: Azure

Azure Virtual WAN now supports full mesh secure hub connectivity

In May 2023, we announced the general availability of Routing intent and routing policies for all Virtual WAN customers. This feature is powered by the Virtual WAN routing infrastructure and enables Azure Firewall customers to set up policies for private and internet traffic. We are also extending the same routing capabilities to all Firewall solutions deployed within Azure Virtual WAN including Network Virtual Appliances and software-as-a-service (SaaS) solutions that provide Firewall capabilities.

Routing Intent also completes two secured hub use cases wherein users can secure traffic between Virtual WAN hubs as well as inspect traffic between different on-premises (branch/ExpressRoute/SD-WAN) that transits through Virtual WAN hubs.

Azure Virtual WAN (vWAN), networking-as-a-service, brings networking, security, and routing functionalities together to simplify networking in Azure. With ease of use and simplicity built in, vWAN is a one-stop shop to connect, protect, route traffic, and monitor your wide area network.

In this blog, we will first describe routing intent use cases, product experiences, and summarize with some additional considerations and resources for using routing intent with Virtual WAN.

Use cases for Virtual WAN

You can use Routing Intent to engineer traffic within Virtual WAN in multiple ways. Here are the main use cases:

Apply routing policies for Virtual Networks and on-premises

Customers implementing hub-and-spoke network architectures with large numbers of routes often find their networks hard to understand, maintain, and troubleshoot. In Virtual WAN, these routes can be simplified for traffic between Azure Virtual Networks and on-premises (ExpressRoute, VPN, and SD-WAN).

Virtual WAN makes this easier for customers by allowing customers to configure simple and declarative private routing policies. It is assumed that private routing policies will be applied for all Azure Virtual Networks and on-premises networks connected to Virtual WAN. Further customizations for Virtual Network and on-premises prefixes are currently not supported. Private routing policies instruct Virtual WAN to program the underlying Virtual WAN routing infrastructure to enable transit between two different on-premises (1) via a security solution deployed in the Virtual Hub. It also enables traffic transiting between two Azure Virtual Networks (2) or between an Azure Virtual Network and an on-premises endpoint (3) via a security solution deployed in the Virtual Hub. The same traffic use cases are supported for Azure Firewall, Network Virtual Appliances, and software-as-a-service solutions deployed in the hub.

Figure 1: Diagram of a Virtual Hub showing sample private traffic flows (between on-premises and Azure).

Apply routing policies for internet traffic

Virtual WAN lets you set up routing policies for internet traffic in order to advertise a default (0.0.0.0/0) route to your Azure Virtual Networks and on-premises. Internet traffic routing configurations allow you to configure Azure Virtual Networks and on-premises networks to send internet outbound traffic (1) to security appliances in the hub. You can also leverage Destination-Network Address Translation (DNAT) features of your security appliance if you want to provide external users access to applications in an Azure Virtual Network or on-premises (2).

Figure 2: Diagram of a Virtual Hub showing internet outbound and inbound DNAT traffic flows.

Apply routing policies for inter-hub cross-region traffic

Virtual WAN automatically deploys all Virtual Hubs across your Virtual WAN in a full mesh, providing zero-touch any-to-any connectivity region-to-region and hub-to-hub using the Microsoft global backbone. Routing policies program Virtual WAN to inspect inter-hub and inter-region traffic between two Azure Virtual Networks (1), between two on-premises (2), and between Azure Virtual Networks and on-premises (3) connected to different hubs. Every packet entering or leaving the hub is routed to the security solution deployed in the Virtual Hub before being routed to its final destination.

Figure 3: Diagram of inter-region and inter-hub traffic flows inspected by security solutions in the hub.

User experience for routing intent

To use routing intent, navigate to your Virtual WAN hub. Under Routing, select Routing Intent and routing policies.

Configure an Internet or Private Routing Policy to send traffic to a security solution deployed in the hub by selecting the next hop type (Azure Firewall, Network Virtual Appliance, or SaaS solution) and corresponding next hop resource.

Figure 4: Example configuration of routing intent with both Private and Internet routing policy in Virtual WAN Portal.

Azure Firewall customers can also configure routing intent using Azure Firewall Manager by enabling the ‘inter-hub’ setting.

Figure 5: Enabling Routing Intent through Azure Firewall Manager.

After configuring routing intent, you can view the effective routes of the security solution by navigating to your Virtual Hub, then select Routing, and click Effective Routes. The effective routes of the security solution provide additional visibility to troubleshoot how Virtual WAN routes traffic that has been inspected by the Virtual hub’s security solution.

Figure 6: View of getting the effective routes on a security solution deployed in the hub.

Before you get started with this feature, here are some key considerations:

The feature caters to users that consider Virtual Network and on-premises traffic as private traffic. Virtual WAN applies private routing policies to all Virtual Networks and on-premises traffic.

Routing intent is mutually exclusive with custom routing and static routes in the ‘defaultRouteTable’ pointing to Network Virtual Appliance (NVA) deployed in a Virtual Network spoke connected to Virtual WAN. As a result, use cases where users are using custom route tables or NVA-in-spoke use cases are not applicable.

Routing Intent advertises prefixes corresponding to all connections to Virtual WAN towards on-premises networks. Users may use Route Maps to summarize and aggregate routes and filter based on defined match conditions.

Learn more about Azure Virtual WAN

We look forward to continuing to build out Azure Virtual WAN and adding more capabilities in the future. We encourage you to try out the Routing Intent feature in Azure Virtual WAN and look forward to hearing more about your experiences to incorporate your feedback into the product.

How to configure Virtual WAN Hub routing policies

What’s new in Azure Virtual WAN?

Tutorial: Secure your virtual hub using Azure Firewall Manager

Fortinet Next-Generation Firewall

Check Point Cloud Guard for Virtual WAN

Install Palo Alto Networks Cloud NGFW in a Virtual WAN hub

The post Azure Virtual WAN now supports full mesh secure hub connectivity appeared first on Azure Blog.
Quelle: Azure

Explore the latest features for Datadog—An Azure Native ISV Service

Datadog – An Azure Native ISV Service, that brings the power of Datadog’s observability capabilities to Azure, is generally available since 2021. The natively integrated service allows you to monitor and diagnose issues with your Azure resources by automatically sending logs and metrics to your Datadog organization.

The service is easy to provision and manage, like any other Azure resource, using the Azure Portal, Azure Command-Line Interface (CLI), software development kits (SDKs), and more. You do not need any custom code or connectors to start viewing your logs and metrics on the Datadog portal.

The service has continued to grow and has been adopted well by our joint customers. This service is developed and managed by Microsoft and Datadog and based on your feedback, we continue to invest in deeper integrations to make the experience smoother for you. Here are some of the top features shipped recently that we would like to highlight:

Monitor multiple subscriptions with a single Datadog Resource

We are excited to announce a scalable multi-subscription monitoring capability that allows you to configure monitoring for all your subscriptions through a single Datadog resource. This simplifies the process of monitoring numerous subscriptions as you do not need to setup a separate Datadog resource in every single subscription that you wish to monitor.

To start monitoring multiple subscriptions through a single “Datadog—An Azure Native ISV Service” resource, click on the Monitored Subscriptions blade under the Datadog organizations configurations section.

The subscription in which the Datadog resource is created is monitored by default. To include additional subscriptions, click on the “Add subscriptions” button and on the window that opens, select the subscriptions that you want to monitor using the same resource.

We recommend deleting redundant Datadog resources linked to the same organization and consolidating multiple subscriptions into a single Datadog resource wherever possible. This would help avoid duplicate data flow and issues like throttling. For example, in the image shown below, there is a resource named DatadogLinkingTest linked to the same organization in one of the subscriptions. You should ideally delete the resource before proceeding to add the subscription.

Click on Add to include the chosen subscriptions to the list of subscriptions being monitored through the Datadog resource.

The set of tag rules for metrics and logs defined for the Datadog resource apply to all subscriptions that are added for monitoring. If you wish to reconfigure the tag rules at any point, check Reconfigure rules for metrics and logs.

And now you are done. Go to the “Monitored Resources” blade in your Datadog resource and filter the subscription of your choice to check the status of logs and metrics being sent to Datadog for the resources in that subscription.

Likewise, agent management experience for App Services and virtual machines (VMs) also spans multiple subscriptions now. 

Check out Monitor virtual machines using the Datadog agent and Monitor App Services using the Datadog agent as an extension.

If at any point you wish to stop monitoring resources in a subscription via the Datadog resource, you can remove the subscription from the Monitored subscriptions list. In the Monitored Subscriptions blade, choose the subscription you no longer wish to monitor and click on “Remove subscriptions”. The default subscription (the one in which the Datadog resource is created) can’t be removed.

Log forwarder

The automatic log forwarding capability available out of the box with Datadog’s native integration on Azure eliminates time-consuming steps that require you to setup additional infrastructure and write custom code.

We are constantly working to support all resource categories on Azure Monitor to ship logs to Datadog. For customers who have setup monitoring tag rules in an Azure subscription, new resource types or categories get automatically enrolled for sending logs, without the need for customers to manually do any changes to enable new resource types. As of today, the native integration on Azure supports logs from 126 resource types to flow to Datadog.

Cloud Security Posture Management

In the Datadog Azure Native integration, enabling Cloud Security Posture Management (CSPM) for your Azure Resources is a straightforward operation in your Datadog resource. Navigate to the Cloud Security Posture Management blade, click on the checkbox to enable CSPM and click Save. The setting can be disabled at any point.

You can learn more about Datadog’s CSPM product here. 

Mute monitor for expected virtual machine shutdowns

Imagine alerts being sent for expected VM shutdowns and waking you up in the middle of the night. Yikes! Now, with just the click of a checkbox, you can avoid scenarios where Datadog’s disaster prevention alert notifications get triggered during scheduled shutdowns. To mute the monitor for expected Azure Virtual Machine shutdowns, select the checkbox shown below in the Metrics and Logs blade.

Hope you are excited to try out all the cool features highlighted in this blog!

Next steps

If you would like to subscribe to the service, check out Datadog – An Azure Native ISV Service from Azure marketplace.

If you already use the Datadog—an Azure Native ISV Service, and have feedback or feature requests, please share below in the comments.

To learn more about the service, check out our documentation—Get started with Datadog – an Azure Native ISV Service.

Share additional information about how you use resource and subscription logs to monitor and manage your cloud infrastructure and applications by responding to this survey.

The post Explore the latest features for Datadog—An Azure Native ISV Service appeared first on Azure Blog.
Quelle: Azure

New and upcoming capabilities with Elastic Cloud (Elasticsearch)—An Azure Native ISV Service

Microsoft and Elastic partnered together in 2020 to build an Elastic Cloud (Elasticsearch)—An Azure Native ISV Service to create cloud native deeply integrated experiences for all Azure and Elastic customers to power their digital transformation. Since general availability, thanks to you, this service is growing rapidly while improving efficiency for all its customers.

Case in point is that Mr. Turing’s cognitive intelligence software as a service (SaaS) product “Alan”, greatly benefited from the native Elasticsearch offering on Azure and deep integration between products like Azure, GitHub, and Visual Studio Code, as elaborated in their story here:

“On Microsoft Azure, Alan is twice as fast and less costly to operate compared to when he was running on our previous cloud provider. In addition, because of the strong integration between Azure, GitHub, and Visual Studio Code, we can deliver new features faster than we could before.”—Marcelo Noronha, Chief Executive Officer of Mr. Turing (October ’2022).

Microsoft and Elastic are continuously striving to bring more delightful experiences to our customers and enable newer capabilities to usher an era of superfast speed, massive scale, and trustworthy reliability.

Better together with Azure and Elastic Cloud

The core setup of Elastic Cloud (Elasticsearch)—An Azure Native ISV Service makes it simpler for developers and IT administrators to manage their Elastic deployments right from Azure. Users no longer must go through multiple manual steps to integrate Azure with Elastic or manage their own infrastructure.

While this is immensely beneficial, the true power relies on when we can continue to bring Elastic’s newer capabilities natively for Azure customers.

Here are a few of the newest capabilities added since announcing general availability:

Elastic 8.X version support

The Elastic 8.X versions bring enhancements to Elasticsearch’s vector search capabilities, native support for natural language processing models, increasingly simplified data onboarding, and a streamlined security experience. This helps people and teams connect quickly and search enterprise content to find relevant information and insights, enable observability to keep mission critical applications and infrastructure running, and protect entire digital ecosystems from increasingly sophisticated cyber threats. New Elastic deployments created using the Azure native service are automatically set up with the latest Elastic version, so that customers can leverage these enhanced capabilities easily out of the box.

Cluster and user management

Setting up Elastic clusters using the Azure native service ensures provisioning of the right configuration as part of deployment itself. Apart from automated cluster provisioning, we have also enabled user management capabilities where the primary owner or creator of the initial cluster can now add multiple users from the organization to manage the deployments. This helps ensure easy management of production workloads, even when the primary owner changes roles or moves out of the organization.

Private link

For customers who are interested in sending Azure resource and subscription logs to Elastic clusters setup at private link endpoint inside an Azure VNet, we have enabled easy configuration to set this up from right within the native experience. Users have the ability to set traffic filters for Azure private links, to manage how Elastic deployments can be accessed.

Observability resource types

We are constantly working to support all resource categories on Azure Monitor to ship logs to Elastic. For customers who have setup monitoring tag rules in an Azure subscription, new resource types and categories get automatically enrolled for logs shipping, without the need for customers to manually do any changes to enable new resource types. As of now, the Azure native service supports logs shipping from 126 resource types to flow to Elastic.

Region expansion

Azure and Elastic teams have been continuously partnering to add additional regions support, to be available closer to where customers need the native offering and data residency. As of now, we support 16 Azure regions (including four new regions—South Africa North, Central India, Brazil South and Canada Central) for the Elastic Cloud (Elasticsearch)—An Azure Native ISV Service, and we are on the path to grow to additional regions.

Looking at the future

Here are some of the key capabilities that Microsoft and Elastic teams are working together to bring to you in the next six months:

Elastic version selection

Currently, the Elastic Cloud (Elasticsearch)—An Azure Native ISV Service automatically takes care of setting up Elastic with the right configuration and the latest cluster version. We heard from customers that there might be situations where the user consciously wants to create new resources leveraging an older Elastic version to support compatibility with their overall technology architecture. We are planning to address that by offering the flexibility to customers to select the Elastic version from right within the Azure portal experience.

Billing visibility enhancements

Given that today we support Elastic deployments to be set up across multiple Azure subscriptions—while still retaining the ability for customers to receive a unified bill—we are planning multiple enhancements on the native offering experience to bring visibility and transparency to billing resource and deployments that the usage and billing correspond to, so that customers can correlate better, optimize costs, or raise requests for support in case something is out of place.

Native experience for Elastic customers on standard Azure marketplace listing

Customers who started using Elastic on Azure by subscribing to the standard marketplace offer before the native offering went live, are missing out on the deep integration capabilities that the native Elastic Cloud (Elasticsearch service) brings to the table. Microsoft and Elastic teams are working together to migrate these customers to the Azure native service seamlessly, so that customers can get the added integration benefits.

There are many more exciting capabilities being planned for customers beyond the next six months, stay up to date with the latest news on the Microsoft Azure blog.

Next steps

Subscribe to the Elastic Cloud (Elasticsearch)—An Azure Native ISV Service from Azure marketplace.

To learn more about the Elastic Cloud (Elasticsearch)—An Azure Native ISV Service, check out our documentation on the Elastic integration with Azure.

Watch the Microsoft Ignite session The Elastic on Microsoft Azure Native Integration Story: Helping Customers Turn Challenges to Advantages presented by Elastic.

Share additional information about how you use resource and subscription logs to monitor and manage your cloud infrastructure and applications by responding to this survey.

The post New and upcoming capabilities with Elastic Cloud (Elasticsearch)—An Azure Native ISV Service appeared first on Azure Blog.
Quelle: Azure

Navigating the SPACE between productivity and developer happiness

Early in my career, I worked as a developer and system administrator. I loved my teams and projects and noticed that many of the things engineers talked about when we were really getting work done (“being productive”) just didn’t make it to the weekly or monthly reports our management seemed to care about. For example, the reports only captured a few things, like the tests we had executed in burndown charts and the number of bugs closed. And while those things were important, they missed the rest of the important work we did that really contributed to our projects shipping and our systems staying online, like being able to focus, working well with teams, and solving hard problems. To reflect our renewed focus on the overall developer experience, I am excited to share that we are rebranding Developer Velocity Lab to Developer Experience Lab. And that’s just the start.

The SPACE framework and new joint research with Vista Equity Partners to help developers

Metrics that only look at activities, or purely focus on speed and volume don’t capture the important capabilities required to make a project successful. They also miss the ways that tools, culture, and processes intersect to help or hinder the code’s journey to the customer. I realized that by focusing on output instead of outcomes, organizations were only getting a partial view of what it means to make an impact building systems and software; this is truer today than ever before with increasingly complex systems and changing market and customer demands.

This led me to a line of research that became my first book, Accelerate: the Science of Lean Software and DevOps. Exploring these ideas further with Microsoft and GitHub, we released the SPACE framework, which presents a holistic framework to evaluate developer productivity using five dimensions: Satisfaction, Performance, Activity, Communication, and Efficiency. We also investigated ways to help developers have better days more consistently and found the developer experience is a central factor in not only personal productivity, but also well-being and satisfaction; the Good Day Project shares our findings and continues to influence teams and projects.

Today, Microsoft and GitHub are expanding this vision by applying our research to help build tools and environments that help developers do what they do best: create. As part of this effort, we’re announcing new research with Vista Equity Partners, a leading global asset manager with more than two decades of experience investing exclusively in enterprise software, data, and technology-enabled organizations. 

Beyond velocity: A holistic way to understand software developers

Productivity in the software world can’t be boiled down to lines of code written, commits made, or pull requests completed. Often, fewer lines of elegant, easy-to-read code are better than large, complex blocks.

There is much more to developers’ work than just writing code, too. Developers contribute to the success of their teams by doing work that doesn’t show up in traditionally-measured activity metrics. For example, there are stand-up meetings and collaborations that help a software project stay on course, we contribute to project docs and architectural diagrams, and there are times you just grab coffee to mentor or stop by to help debug some code. How do we fold these intangibles into the productivity discussion?

We also know there’s a strong correlation between process efficiency and job satisfaction. Streamlining tasks and processes can help facilitate developers’ abilities to find their flow state and string together those good, productive days.

By shifting the name of Microsoft and GitHub’s joint research lab from the Developer Velocity Lab to the Developer Experience Lab, we’re putting developers and their experience at the center of this discussion and focusing on a holistic approach that considers the individual, organizational, and community outcomes that really matter. The SPACE framework was developed to make sense of this complexity; beyond that, the SPACE framework gives us a multi-dimensional blueprint for creating fulfilling experiences that recognize support developer happiness and well-being are key components of work and productivity.

The new Developer Experience Lab

The goals for our work at Microsoft and GitHub through the Developer Experience Lab are to remove friction in the developer experience, advance DevOps practices, and resolve the technical and real-world inefficiencies that keep code from reaching the cloud.

As part of that, this week we’re announcing new research with Vista Equity Partners that provides a deeper look into what developers want and need.

As expected, our research found that the capabilities and user experience of development tools play a huge role in developers’ ability to focus and innovate—and the importance of tools goes beyond just providing a place to code. Over the past few years, remote and hybrid work has become the norm, and developers rely on their tools to facilitate the collaboration, connection, and work processes that are so critical to building software. 

Findings like these are guiding how we think about supporting developers in the field. The Developer Experience Lab is connecting what we’re learning about developer happiness to our policy guidance and to Microsoft’s next generation of developer tools, including some groundbreaking work with AI.

AI as your copilot

Along with the monumental shift to hybrid work, AI is making headlines across industries. We’re already seeing its impact on software development, and we’re imagining ways to pair AI tools with human programmers to amplify developers’ abilities and help spark innovation.

To this end, we’ve developed and released GitHub Copilot, an AI assistant across GitHub apps. As the name implies, Github Copilot is a tool that works alongside people to augment and assist their work. For developers, that means handling tasks that would typically cause an interruption, such as locating a code library, building repetitive infrastructure, or spotting bugs. Native GitHub Copilot integrations simplify everything from pull requests to code reviews, and they’re delivered through an engaging, streamlined interface.

Looking ahead, we’re also thinking about how we can use AI to help organizations evaluate their level of skill, productivity, and developer happiness within the context of SPACE. By helping organizations find the most useful metrics for their environment and applying advanced analytics, we can make it easier for them to optimize processes and engage with developers.

Developers, too, have long found value in tracking their own productivity, both to assess their own skills and methodologies, and to improve collaboration. We’ll continue to innovate here as well, exploring how to deliver high-value insights so developers can get the most of out their days.

Providing the right experience to build better code

As the demand for software innovation continues to boom, there is increasing pressure on developers tasked with building the future. Studying their complex world of code, products, policies, communities, and culture is a passion of mine.

I’m excited to be a researcher here at Microsoft, where we can reimagine and research the future of the developer experience. The Developer Experience Lab team is a group of experts from a variety of backgrounds conducting socio-technical research. This allows us to ask deep, interesting questions about the developer experience and how to best enable it, and then amplify those findings through new tools, technologies, and best practices.

Learn more about the Developer Experience Lab

We are still in the early stages of this journey, and we hope you’ll join us on the ride. You can stay up to date on everything we’re working on at Developer Experience Lab.
The post Navigating the SPACE between productivity and developer happiness appeared first on Azure Blog.
Quelle: Azure

Microsoft Azure security evolution: Embrace secure multitenancy, Confidential Compute, and Rust

In the first blog of our series on Azure Security, we delved into our defense-in-depth approach for tackling cloud vulnerabilities. The second blog highlighted our use of variant hunting to detect patterns of vulnerabilities across our services. In this installment, we will introduce our game-changing bets that will enable us to deliver industry-leading security architectures with built-in security for years to come, ensuring a secure cloud experience for our customers. We will discuss our focus on secure multitenancy and share our vision for harnessing the power of Confidential Compute and the Rust programming language to protect our customers’ data from cyber threats. By investing in groundbreaking security strategies, such as Secure Multitenancy, Confidential Compute, and the Rust programming language, Azure provides customers with robust, built-in security measures that not only protect their data but also enhance the overall cloud experience, giving customers the confidence to innovate and grow their businesses securely.

Secure multitenancy with robust compute, network, and credential isolation

In our first blog, we touched on the benefits we’ve seen from improvements in compute, network, and credential isolation. Now, we want to dive deeper into what this means. For compute isolation, we’re investing heavily in hardware-based virtualization (HBV), the foundation of running untrusted code in Azure. Traditional Virtual Machines are at the core of many Azure Services hosting customer workloads. Our current bounty of up to USD250,000 on Microsoft Hyper-V vulnerabilities demonstrates our strong defense and highlights the importance of this boundary.

Our innovations with HBV extends beyond traditional virtual machines (VMs). Azure Container Instances (ACI) serve as our platform for running container workloads, utilizing HBV to isolate container groups from each other. ACI container groups take advantage of the same HBV that powers Azure Virtual Machines, but they offer a platform tailored for modern container-based applications. Numerous new and existing services are moving to ACI as a simple, high-performance model for secure multitenancy. Building services atop secure foundations like ACI enables us to address many isolation problems centrally, allowing multiple services to benefit from fixes simultaneously. Furthermore, we’re excited to introduce HBV to Kubernetes workloads via industry-standard Kata Container support in Azure Kubernetes Service. Similar to ACI container groups, Kata Container pods utilize HBV for robust isolation of untrusted workloads. In the coming months, we’ll share more about our efforts to bring this approach to WebAssembly hosting, boasting single-millisecond overhead compared to hosting WebAssembly without HBV. For network isolation, we’re shifting services towards dedicated virtual networks per tenant and ensuring support for Private Links which enable our services to communicate directly with customer-managed virtual networks. Shared networks have proven error-prone, with mistakes in network Access Control Lists or subnets leading to inadequate network isolation between tenants. Dedicated virtual networks make it difficult to accidentally enable connectivity between tenants that should remain separate.

Credential isolation, on the other hand, involves using credentials scoped to the resources of a single tenant whenever possible. Employing credentials with minimal permissions ensures that even if vulnerabilities are discovered, credentials providing access to other tenants’ data aren’t readily available.

Through significant investments in HBV and a focus on compute, network, and credential isolation, Azure is providing customers with enhanced security and isolation for their workloads. By developing innovative solutions such as Azure Container Instances, and bringing HBV to Kubernetes and WebAssembly hosting, we are creating a robust and secure multitenancy environment that protects data and improves the overall cloud experience. As we continue to strengthen Azure’s security foundation, we are also exploring new opportunities to further enhance our defense-in-depth approach. In the next section, we will discuss the role of Confidential Compute in adding an extra layer of protection to our customers’ data and workloads.  

Confidential Compute: A new layer of defense

Since the dawn of cloud computing in Azure, we’ve recognized the crucial role of HBV in running customer workloads on VMs. However, VMs only protect the host machine from malicious activity within the VM. In many cases, a vulnerability in the VM interface could allow a bad actor to escape to the host, and from there they could fully access other customers’ VM. Confidential Compute presents a new layer of defense against these attacks by preventing bad actors with hosting environment access from accessing the content running in a VM. Our goal is to leverage Confidential VMs and Confidential Containers broadly across Azure Services, adding this extra layer of defense to VMs and containers utilized by our services. This has the potential to reduce the blast radius of a compromise at any level in Azure. While ambitious, one day using Confidential Compute should be as ubiquitous as other best practices have become such as encryption in transit or encryption at rest.

Rust as the path forward over C/C++

Decades of vulnerabilities have proven how difficult it is to prevent memory-corrupting bugs when using C/C++. While garbage-collected languages like C# or Java have proven more resilient to these issues, there are scenarios where they cannot be used. For such cases, we’re betting on Rust as the alternative to C/C++. Rust is a modern language designed to compete with the performance C/C++, but with memory safety and thread safety guarantees built into the language. While we are not able to rewrite everything in Rust overnight, we’ve already adopted Rust in some of the most critical components of Azure’s infrastructure. We expect our adoption of Rust to expand substantially over time.

Our unwavering commitment

Our commitment to secure multitenancy, Confidential Compute, and Rust represents a major investment that we’ll be making in the coming years. Fortunately, Microsoft’s security culture is among the strongest in the industry, empowering us to deliver on these ambitious bets. By prioritizing security as an integral component of our services, we are helping our customers to build and maintain secure, reliable, and scalable applications in the cloud, while ensuring their trust in our platform remains steadfast. 

Learn more

Read the previous two blogs in this series to learn how Azure leverages a defense-in-depth security approach and cloud variant hunting to learn from vulnerabilities and layer protection throughout every phase of design, development, and deployment.

Explore the built-in security features in our cloud platforms and technologies that help you be secure from the start. 

Join Azure Security engineering experts at Microsoft Build to engage in live Q&A around Azure’s robust defense-in-depth strategies, the intriguing world of cloud variant hunting, and maintaining secure multitenancy. Don’t miss this chance to enhance your skills and remain at the forefront of the ever-changing cybersecurity landscape.

The post Microsoft Azure security evolution: Embrace secure multitenancy, Confidential Compute, and Rust appeared first on Azure Blog.
Quelle: Azure

Microsoft Build 2023: Innovation through Microsoft commercial marketplace

As we look forward to Microsoft Build 2023, I am inspired by the innovation coming from our ISV partners and SaaS providers building on the Microsoft Cloud.

In the past year, we’ve seen large-scale, generative AI models support the creation of new capabilities that expand our vision of the possible, improve productivity, and ignite creativity. The general availability of Azure OpenAI Service is helping developers apply these models to a variety of use cases such as natural language understanding, writing assistance, code generation, data reasoning, content summarization, and semantic search. With Azure’s enterprise-grade security and built-in responsible AI, the rate of innovation is growing exponentially.

Making new strides in AI

The Microsoft commercial marketplace makes it possible for customers to find, purchase, and deploy innovative applications and services to drive their business outcomes. At Microsoft Build 2023, we’re proud to highlight several partners with AI solutions available in the marketplace:

Orkes empowers developers to easily build reliable and secure AI applications, tools, and integrations on Azure with the Conductor open source microservices orchestration platform. With built-in elastic scaling and reliability, teams can more quickly bring applications to market.

Run:ai helps companies deliver AI faster and bridge the gap between data science and computing infrastructure by providing a high-performance compute virtualization layer for deep learning, which accelerates the training of neural network models and enables the development of large AI models to help organizations in every industry accelerate AI innovation.

Statsig allows any company to experiment like big tech at a fraction of the cost. With advanced feature management tools such as automated A/B testing and integrated product analytics, developers can use data insights to learn faster and build better products.

Explore security solutions with our partners

As AI is experiencing rapid growth, security has never been more important. Companies of all sizes and across every industry are increasing their investments in cybersecurity. Partners specializing in security solutions that run on the Microsoft Cloud help customers reduce costs, close coverage gaps, and prevent even the most sophisticated attacks.

At Microsoft Build 2023, we’re excited to feature select partners with security solutions offered in the marketplace:

Anjuna is a multi-cloud confidential computing platform for complete data security and privacy, featuring a unique trusted execution environment that leverages hardware-level isolation to intrinsically secure data and code in the cloud so enterprises can run applications inside Azure Confidential Computing instances in minutes without code changes.

Kovrr transforms cyber security data into actionable, financially quantified cyber risk mitigation recommendations to manage enterprise cyber risk exposure, inform which security controls to invest in, and provide insights into how to optimize cyber insurance and capital management strategies.

Noname Security protects APIs from attacks in real-time while detecting vulnerabilities and misconfigurations before they are exploited, offering deeper visibility and security than API gateways, load balancers, and well architected frameworks (WAFs) without requiring agents or network modifications.

Manage your cloud portfolio with the Microsoft commercial marketplace

The Microsoft commercial marketplace continues to grow and is becoming customers’ preferred method for managing their entire cloud portfolio.

Through the marketplace, customers can search across thousands of applications and services in a single catalog, creating a one-stop destination for all cloud needs including AI, security, data, infrastructure, and more. Solutions available on the marketplace are validated for compatibility with Microsoft applications, ensuring that customers can buy with confidence and deploy seamlessly on Azure.

For customers with enterprise agreements, purchases can be added directly to an Azure bill, simplifying the purchasing process and reducing the number of vendors to be paid separately. For organizations with a cloud consumption commitment, the entire purchase can count towards remaining commitment. Thousands of applications in the marketplace are eligible to count towards an Azure commitment, including the solutions highlighted above—Orkes, Run:ai, Statsig, Anjuna, Kovrr, and Noname Security. With the Microsoft commercial marketplace, customers can get the innovative solutions needed to stay ahead in a competitive market while maximizing the value of cloud investments.
The post Microsoft Build 2023: Innovation through Microsoft commercial marketplace appeared first on Azure Blog.
Quelle: Azure

Preparing for future health emergencies with Azure HPC

A once-in-a-century global health emergency accelerates worldwide healthcare innovation and novel medical breakthroughs, all supported by powerful high-performance computing (HPC) capabilities.

COVID-19 has forever changed how nations function in the globally interconnected economy. To this day, it continues to affect and shape how countries respond to health emergencies. COVID-19 has demonstrated just how interconnected our society is and how risks, threats, and contagions can have global implications for many aspects of our daily lives.

COVID-19 was the largest global health emergency in over a century, with nearly 762 million cases reported as of the end of March 2023, according to the World Health Organization. The National Centre for Biotechnology Information points out the frequency and breath of new variants that continues to emerge at regular intervals. In response to this intricate health crisis, the global healthcare community quickly mobilized to better understand the virus, learn its behavior, and work toward preventative treatment measures to minimize the damage to lives across the world. Globally, nations mobilized resources for frontline workers, offered social protection to those most severely affected, and provided vaccine access for the billions who need it.

Recent technological innovations have provided the medical community with access to capabilities, such as HPC, that equipped healthcare professionals to better study, understand, and respond to COVID-19. Globally, healthcare innovators could access unprecedented computing power to design, test, and develop new treatments, faster, better, and more iteratively, than ever before.

Today, Azure HPC enables researchers to unleash the next generation of healthcare breakthroughs. For example, the computational capabilities offered by the Azure HPC HB-series virtual machines, powered by AMD EPYCTM CPU cores, allowed researchers to accelerate insights and advances into genomics, precision medicine, and clinical trials, with near-infinite high-performance bioinformatics infrastructure capabilities.

Since the beginning of COVID-19, companies have been leveraging Azure HPC to develop new treatments, run simulations, and testing at scale—all in preparation for the next health emergency. Azure HPC is helping companies unleash new treatments and health cure capabilities that are ushering in the next generation of treatments and healthcare capabilities, across the entire industry.

High-performance computing making a difference

A leading immunotherapy company partnered with Microsoft to leverage the capabilities of Azure HPC’s high-performance computing, in order to perform detailed computational analyses of the spike protein structure of SARS-CoV-2. Due to the critical nature of the spike protein structure and the role it plays in allowing the invasion of human cells, targeting it for study, analyses, and insights, is a crucial step in the development of treatments to combat the virus.

The company’s engineers and scientists collaborated with Microsoft, and quickly deployed HPC clusters on Azure, containing over 1250 core graphic processing units (GPUs). These GPUs are specifically designed for machine learning and similarly intense computational applications. The Azure HPC clusters augmented the company’s existing GPU clusters—which was already optimized for molecular modelling of proteins, antibodies, and antivirals—bringing a truly high-powered scaled engagement approach to fruition.

By collaborating with Microsoft in this way and making use of the massive, networked computing capabilities and advanced algorithms enabled by Azure HPC, the company was able to generate working models in days rather than the months it would have taken by following traditional approaches.

The incredible amount of computing power will help bolster drug discovery and therapeutic developments. By joining forces and bringing together the incredible power of Azure HPC and cutting edge immunotherapies, it helped contribute to the development of models that allowed researchers to better understand the virus, find novel binding sites to fight the virus, and ultimately guide the development of future treatments and vaccines for the virus.

Powering pharmaceutical research and innovation

The healthcare industry is making remarkable strides in the development of cutting-edge treatments and innovations that are geared towards solving some of the world’s greatest healthcare challenges.

For example, researchers are leveraging HPC to transform their research and development effort as well as accelerating the development of new life-saving treatments.

Using a technique producing amorphous solid dispersions (ASD), drug researchers break up active pharmaceutical ingredients and blend them with organic polymers to improve the dissolution rate, bioavailability, and solubility of drug delivery systems. Although a wonder of modern medicine, it is a highly complicated, often lab-based process that can take months.

Swiss-based Molecular Modelling Laboratory (MML), a leader in ASD screening, wanted to pivot its drug research and development to small organic and biomolecular polymers. This approach determines ASD stability prior to formulation, reveals new ASD combinations, enhances drug safety, and helps reduce drug development costs as well as delivery times.

MML chose to leverage Azure HPC resources on more than 18,000 Azure HBv2 virtual machines and to optimize high-throughput drug screening and active pharmaceutical ingredient solubility limit detection, with the aim to alleviate common development hurdles.

The adoption of Azure HPC has helped MML shift from a small start-up to an established business working with some of the top pharmaceutical companies in the world—all in a very short time.

For the global healthcare community, the computational power and scalability of Azure HPC presents an unprecedented opportunity to accelerate pharmaceutical, medical, as well as health innovation. Azure HPC will continue playing a leading role in supporting the healthcare industry to respond optimally to any future global health emergency that may arise.

Next steps

To request a demo, contact HPCdemo@microsoft.com.

Learn more about Azure HPC.

High-performance computing documentation.

View our HPC cloud journey infographic.

The post Preparing for future health emergencies with Azure HPC appeared first on Azure-Blog und Updates.
Quelle: Azure

Insights from the 2023 Open Confidential Computing Conference

I had the opportunity to participate in this year’s Open Confidential Computing Conference (OC3), hosted by our software partner, Edgeless Systems. This year’s event was particularly noteworthy due to a panel discussion on the impact and future of confidential computing. The panel featured some of the industry’s most respected technology leaders including Greg Lavender, Chief Technology Officer at Intel, Ian Buck, Vice President of Hyperscale and HPC at NVIDIA, and Mark Papermaster, Chief Technology Officer at AMD. Felix Schuster, Chief Executive Officer at Edgeless Systems, moderated the panel discussion, which explored topics such as the definition of confidential computing, customer adoption patterns, current challenges, and future developments. The insightful discussion left a lasting impression on me and my colleagues.

What is confidential computing?

When it comes to understanding what exactly confidential computing entails, it all begins with a trusted execution environment (TEE) that is rooted in hardware. This TEE protects any code and data placed inside it, while in use in memory, from threats outside the enclave. These threats include everything from vulnerabilities in the hypervisor and host operating system to other cloud tenants and even cloud operators. In addition to providing protection for the code and data in memory, the TEE also possesses two crucial properties. The first is the ability to measure the code contained within the enclave. The second property is attestation, which allows the enclave to provide a verified signature that confirms the trustworthiness of what is held within it. This feature allows software outside of the enclave to establish trust with the code inside, allowing for the safe exchange of data and keys while protecting the data from the hosting environment. This includes hosting operating systems, hypervisors, management software and services, and even the operators of the environment.

Regarding what is not confidential computing, it is not other privacy enhancing technologies (PETs) like homomorphic encryption or secure multiparty computation. It is hardware rooted, trusted execution environments with attestation.

In Azure, confidential computing is integrated into our overall defense in depth strategy, which includes trusted launch, customer managed keys, Managed HSM, Microsoft Azure Attestation, and confidential virtual machine guest attestation integration with Microsoft Defender for Cloud.

Customer adoption patterns

With regards to customer adoption scenarios for confidential computing, we see customers across regulated industries such as the public sector, healthcare, and financial services ranging from private to public cloud migrations and cloud native workloads. One scenario that I’m really excited about is multi-party computations and analytics where you have multiple parties bringing their data together, in what is now being called data clean rooms, to perform computation on that data and get back insights that are much richer than what they would have gotten off their own data set alone. Confidential computing addresses the regulatory and privacy concerns around sharing this sensitive data with third parties. One of my favorite examples of this is in the advertising industry, where the Royal Bank of Canada (RBC) has set up a clean room solution where they take merchant purchasing data and combine it with their information around the consumers credit card transactions to get a full picture of what the consumer is doing. Using these insights, RBC’s credit card merchants can then offer their consumer very precise offers that are tailored to them, all without RBC seeing or revealing any confidential information from the consumers or the merchants. I believe that this architecture is the future of advertising.

Another exciting multi-party use case is BeeKeeperAI’s application of confidential computing and machine learning to accelerate the development of effective drug therapies. Until recently, drug researchers have been hampered by inaccessibility of patient data due to strict regulations applied to the sharing of personal health information (PHI). Confidential computing removes this bottleneck by ensuring that PHI is protected not just at rest and when transmitted, but also while in use, thus eliminating the need for data providers to anonymize this data before sharing it with researchers. And it is not just the data that confidential computing is protecting, but also the AI models themselves. These models can be expensive to train and therefore are valuable pieces of intellectual property that need to be protected.

To allow these valuable AI models to remain confidential yet scale, Azure is collaborating with NVIDIA to deploy confidential graphics processing units (GPUs) on Azure based on NVIDIA H100 Tensor Core GPU.

Current challenges

Regarding the challenges facing confidential computing, they tended to fall into four broad categories:

Availability, regional, and across services. Newer technologies are in limited supply or still in development, yet Azure has remained a leader in bringing to market services based on Intel® Software Guard Extensions (Intel® SGX) and AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP). We are the first major cloud provider to offer confidential virtual machines based on Intel® Trust Domain Extensions (Intel® TDX) and we look forward to being one of the first cloud providers to offer confidential NVIDIA H100 Tensor Core GPUs. We see availability rapidly improving over the next 12 to 24 months.

Ease of adoption for developers and end users. The first generation of confidential computing services, based on Intel SGX technology, required rewriting of code and working with various open source tools to make applications confidential computing enabled. Microsoft and our partners have collaborated on these open source tools and we have an active community of partners running their Intel SGX solutions on Azure. The newer generation of confidential virtual machines on Azure, using AMD SEV-SNP, a hardware security feature enabled by AMD Infinity Gaurd and and Intel TDX, lets users run off-the-shelf operating systems, lift and shift their sensitive workloads, and run them confidentially. We are also using this technology to offer confidential containers in Azure which allows users to run their existing container images confidentially.

Performance and interoperability. We need to ensure that confidential computing does not mean slower computing. The issue becomes more important with accelerators like GPUs where the data must be protected as it moves between the central processing unit (CPU) and the accelerator. Advances in this area will come from continued collaboration with standards committees such as the PCI-SIG, which has issued the TEE Device Interface Security Protocol (TDISP) for secure PCIe bus communication and the CXL Consortium which has issued the Compute Express Link™ (CXL™) specification for the secure sharing of memory among processors. Open source projects like Caliptra which has created the specification, silicon logic, have read-only memory (ROM), and firmware for implementing a Root of Trust for Measurement (RTM) block inside a system on chip (SoC).

Industry awareness. While confidential computing adoption is growing, awareness among IT and security professionals is still low. There is a tremendous opportunity for all confidential computing vendors to collaborate and participate in events aimed at raising awareness of this technology to key decision-makers such as CISOs, CIOs, and policymakers. This is especially relevant in industries such as government and other regulated sectors where the handling of highly sensitive data is critical. By promoting the benefits of confidential computing and increasing adoption rates, we can establish it as a necessary requirement for handling sensitive data. Through these efforts, we can work together to foster greater trust in the cloud and build a more secure and reliable digital ecosystem for all.

The future of confidential computing

When the discussion turned to the future of confidential computing, I had the opportunity to reinforce Azure’s vision for the confidential cloud, where all services will run in trusted execution environments. As this vision becomes a reality, confidential computing will no longer be a specialty feature but rather the standard for all computing tasks. In this way, the concept of confidential computing will simply become synonymous with computing itself.

Finally, all panelists agreed that the biggest advances in confidential computing will be the result of industry collaboration.

Microsoft at OC3

In addition to the panel discussion, Microsoft participated in several other presentations at OC3 that you may find of interest:

Removing our Hyper-V host OS and hypervisor from the Trusted Computing Base (TCB).

Container code and configuration integrity with confidential containers on Azure.

Customer managed and controlled Trusted Computing Base (TCB) with CVMs on Azure.

Enabling faster AI model training in healthcare with Azure confidential computing.

Project Amber—Intel’s attestation service.

Finally, I would like to encourage our readers to learn about Greg Lavender’s thoughts on OC3 2023.

All product names, logos, and brands mentioned above are properties of their respective owners. 
The post Insights from the 2023 Open Confidential Computing Conference appeared first on Azure-Blog und Updates.
Quelle: Azure

Insights from the 2023 Open Confidential Computing Conference

I had the opportunity to participate in this year’s Open Confidential Computing Conference (OC3), hosted by our software partner, Edgeless Systems. This year’s event was particularly noteworthy due to a panel discussion on the impact and future of confidential computing. The panel featured some of the industry’s most respected technology leaders including Greg Lavender, Chief Technology Officer at Intel, Ian Buck, Vice President of Hyperscale and HPC at NVIDIA, and Mark Papermaster, Chief Technology Officer at AMD. Felix Schuster, Chief Executive Officer at Edgeless Systems, moderated the panel discussion, which explored topics such as the definition of confidential computing, customer adoption patterns, current challenges, and future developments. The insightful discussion left a lasting impression on me and my colleagues.

What is confidential computing?

When it comes to understanding what exactly confidential computing entails, it all begins with a trusted execution environment (TEE) that is rooted in hardware. This TEE protects any code and data placed inside it, while in use in memory, from threats outside the enclave. These threats include everything from vulnerabilities in the hypervisor and host operating system to other cloud tenants and even cloud operators. In addition to providing protection for the code and data in memory, the TEE also possesses two crucial properties. The first is the ability to measure the code contained within the enclave. The second property is attestation, which allows the enclave to provide a verified signature that confirms the trustworthiness of what is held within it. This feature allows software outside of the enclave to establish trust with the code inside, allowing for the safe exchange of data and keys while protecting the data from the hosting environment. This includes hosting operating systems, hypervisors, management software and services, and even the operators of the environment.

Regarding what is not confidential computing, it is not other privacy enhancing technologies (PETs) like homomorphic encryption or secure multiparty computation. It is hardware rooted, trusted execution environments with attestation.

In Azure, confidential computing is integrated into our overall defense in depth strategy, which includes trusted launch, customer managed keys, Managed HSM, Microsoft Azure Attestation, and confidential virtual machine guest attestation integration with Microsoft Defender for Cloud.

Customer adoption patterns

With regards to customer adoption scenarios for confidential computing, we see customers across regulated industries such as the public sector, healthcare, and financial services ranging from private to public cloud migrations and cloud native workloads. One scenario that I’m really excited about is multi-party computations and analytics where you have multiple parties bringing their data together, in what is now being called data clean rooms, to perform computation on that data and get back insights that are much richer than what they would have gotten off their own data set alone. Confidential computing addresses the regulatory and privacy concerns around sharing this sensitive data with third parties. One of my favorite examples of this is in the advertising industry, where the Royal Bank of Canada (RBC) has set up a clean room solution where they take merchant purchasing data and combine it with their information around the consumers credit card transactions to get a full picture of what the consumer is doing. Using these insights, RBC’s credit card merchants can then offer their consumer very precise offers that are tailored to them, all without RBC seeing or revealing any confidential information from the consumers or the merchants. I believe that this architecture is the future of advertising.

Another exciting multi-party use case is BeeKeeperAI’s application of confidential computing and machine learning to accelerate the development of effective drug therapies. Until recently, drug researchers have been hampered by inaccessibility of patient data due to strict regulations applied to the sharing of personal health information (PHI). Confidential computing removes this bottleneck by ensuring that PHI is protected not just at rest and when transmitted, but also while in use, thus eliminating the need for data providers to anonymize this data before sharing it with researchers. And it is not just the data that confidential computing is protecting, but also the AI models themselves. These models can be expensive to train and therefore are valuable pieces of intellectual property that need to be protected.

To allow these valuable AI models to remain confidential yet scale, Azure is collaborating with NVIDIA to deploy confidential graphics processing units (GPUs) on Azure based on NVIDIA H100 Tensor Core GPU.

Current challenges

Regarding the challenges facing confidential computing, they tended to fall into four broad categories:

Availability, regional, and across services. Newer technologies are in limited supply or still in development, yet Azure has remained a leader in bringing to market services based on Intel® Software Guard Extensions (Intel® SGX) and AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP). We are the first major cloud provider to offer confidential virtual machines based on Intel® Trust Domain Extensions (Intel® TDX) and we look forward to being one of the first cloud providers to offer confidential NVIDIA H100 Tensor Core GPUs. We see availability rapidly improving over the next 12 to 24 months.

Ease of adoption for developers and end users. The first generation of confidential computing services, based on Intel SGX technology, required rewriting of code and working with various open source tools to make applications confidential computing enabled. Microsoft and our partners have collaborated on these open source tools and we have an active community of partners running their Intel SGX solutions on Azure. The newer generation of confidential virtual machines on Azure, using AMD SEV-SNP, a hardware security feature enabled by AMD Infinity Gaurd and and Intel TDX, lets users run off-the-shelf operating systems, lift and shift their sensitive workloads, and run them confidentially. We are also using this technology to offer confidential containers in Azure which allows users to run their existing container images confidentially.

Performance and interoperability. We need to ensure that confidential computing does not mean slower computing. The issue becomes more important with accelerators like GPUs where the data must be protected as it moves between the central processing unit (CPU) and the accelerator. Advances in this area will come from continued collaboration with standards committees such as the PCI-SIG, which has issued the TEE Device Interface Security Protocol (TDISP) for secure PCIe bus communication and the CXL Consortium which has issued the Compute Express Link™ (CXL™) specification for the secure sharing of memory among processors. Open source projects like Caliptra which has created the specification, silicon logic, have read-only memory (ROM), and firmware for implementing a Root of Trust for Measurement (RTM) block inside a system on chip (SoC).

Industry awareness. While confidential computing adoption is growing, awareness among IT and security professionals is still low. There is a tremendous opportunity for all confidential computing vendors to collaborate and participate in events aimed at raising awareness of this technology to key decision-makers such as CISOs, CIOs, and policymakers. This is especially relevant in industries such as government and other regulated sectors where the handling of highly sensitive data is critical. By promoting the benefits of confidential computing and increasing adoption rates, we can establish it as a necessary requirement for handling sensitive data. Through these efforts, we can work together to foster greater trust in the cloud and build a more secure and reliable digital ecosystem for all.

The future of confidential computing

When the discussion turned to the future of confidential computing, I had the opportunity to reinforce Azure’s vision for the confidential cloud, where all services will run in trusted execution environments. As this vision becomes a reality, confidential computing will no longer be a specialty feature but rather the standard for all computing tasks. In this way, the concept of confidential computing will simply become synonymous with computing itself.

Finally, all panelists agreed that the biggest advances in confidential computing will be the result of industry collaboration.

Microsoft at OC3

In addition to the panel discussion, Microsoft participated in several other presentations at OC3 that you may find of interest:

Removing our Hyper-V host OS and hypervisor from the Trusted Computing Base (TCB).

Container code and configuration integrity with confidential containers on Azure.

Customer managed and controlled Trusted Computing Base (TCB) with CVMs on Azure.

Enabling faster AI model training in healthcare with Azure confidential computing.

Project Amber—Intel’s attestation service.

Finally, I would like to encourage our readers to learn about Greg Lavender’s thoughts on OC3 2023.

All product names, logos, and brands mentioned above are properties of their respective owners. 
The post Insights from the 2023 Open Confidential Computing Conference appeared first on Azure-Blog und Updates.
Quelle: Azure